
IE vulnerability exploited

A campaign is exploiting the recently reported IE vulnerability to target entities in Japan, researchers say.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 25 Sept 2013
Users who have not yet done so are being urged by IE to install a FixIt tool as a temporary measure.

FireEye has uncovered a campaign that is taking advantage of the recently reported Internet Explorer (IE) zero-day vulnerability to target organisations in Japan.

Dubbed "Operation DeputyDog", the campaign, according to FireEye, began as far back as 19 August. FireEye researchers say the attacks appear to be a large-scale intelligence-gathering operation that uses remote access tools to steal data from compromised machines, targeting government, hi-tech and manufacturing organisations in Japan.

Researchers at FireEye say they have been keeping a close eye on the activities of the threat actor responsible for this campaign, and confirm the same culprits were responsible for the attack on Bit9, in February this year.

Bit9 reported that a malicious third party had illegally gained temporary access to one of its digital code-signing certificates, which was then used to sign malware.

Industry warnings

An advisory issued by Microsoft last week described the vulnerability as a remote code execution vulnerability that exists in the way IE "accesses an object in memory that has been deleted or has not been properly allocated".

It added that an attacker could host a Web site containing a page used to exploit this vulnerability. Compromised Web sites, and sites that accept or host user-provided content or advertisements, could likewise contain specially crafted content that exploits it.

This is what the attacks have been doing, but it is not clear whether the sites used in the 'watering hole' attack have been cleaned up yet.

At the weekend, the escalation of the attacks, together with the severity of the IE zero-day, prompted the SANS Internet Storm Center to raise its threat level. "The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505. Accordingly, we're moving the InfoCon up to Yellow," the organisation said.

Temporary fix

Users who have not yet done so are being urged by IE to install a FixIt tool as a temporary measure until a patch is released.

The tool, CVE-2013-3893 MSHTML Shim Workaround, only applies to 32-bit installations, so other mitigations such as EMET 3.0 and 4.0 are also encouraged.

"While these attackers have demonstrated previously unknown zero-day exploits and a robust set of malware payloads, using the techniques described above, it is still possible for network defence professionals to develop a rich set of indicators that can be used to detect their attacks," added FireEye.
